OFFICE OF INSPECTOR GENERAL
Audit Report

Evaluation of the Railroad Retirement Board’s Benefit and Payment Operations System Continuous Monitoring

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552

Report No. 11-12
September 29, 2011

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT

The Office of Inspector General (OIG) for the Railroad Retirement Board (RRB) conducted an evaluation of the activities conducted at the RRB for the continuous monitoring of the Benefit and Payment Operations system to determine adherence with existing policy, procedures, guidance, and standards. This evaluation also directly supports the Office of Inspector General’s mandated Federal Information Security Management Act of 2002 evaluation.

The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring programs provide organizations with an effective mechanism to update certain security documents. In fiscal year 2010, the RRB hired a contractor to perform continuous monitoring testing of the controls over the Benefit and Payment Operations system.

In a separately issued Restricted Distribution report, we communicated that the RRB’s continuous monitoring process does not fully comply with existing policy, procedures, guidance, and standards. As a result, the RRB’s significant deficiency in internal control over the certification and accreditation process remains in effect because of an ineffective review process for contractor deliverables. We made five detailed recommendations to RRB management for improvement in:

      controls over the review process of the continuous monitoring deliverables;
      the overall planning process for the continuous monitoring program; and
      the Office of Programs’ portion of the RRB’s agency-wide plan of action and milestones.

Agency Management has agreed to take corrective actions for all recommendations.